We also need to solve this problem for non-public security patches.
We have code in our internal tooling that merges in a branch from a repository - I’d recommend the same approach for you.
Something like this should work for you in an exec block (probably in the after_code hook):
# merge the patch branch without committing (fetch it first if it isn't a local ref);
# --no-ff is needed because --no-commit alone cannot stop a fast-forward, which
# would apply the ref and move HEAD with nothing left for the tool to commit
git merge --no-commit --no-ff REFERENCE
bundle install # if necessary
pnpm install --frozen-lockfile # if necessary
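A fuller body for that hook, as an added example that is not the poster's own code: it fetches the ref before merging, adds --no-ff so a fast-forwardable ref cannot slip past --no-commit, aborts cleanly if the merge conflicts so the next hook never sees conflict markers, and runs only the lockfile-respecting installers whose lockfiles actually exist in the checkout. The remote name `patches`, the function names, and the `npm ci` branch are assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not the poster's code: a fuller body for the exec/after_code hook.
# Assumptions (all illustrative): the patch ref lives on a remote called "patches",
# the ref name arrives as $1, and npm ci is wanted alongside bundle/pnpm.

# merge_patch REF [REMOTE]
#   Fetch REF from REMOTE and merge it into the checked-out branch without committing,
#   so the surrounding tool can inspect and commit the result itself.
#   --no-ff matters: with --no-commit alone a fast-forwardable ref is applied *and*
#   HEAD moves, because a fast-forward never creates a commit for --no-commit to hold.
#   Returns 0 on a clean merge, 1 on conflicts (merge aborted, tree restored), 2 if
#   the ref could not be fetched.
merge_patch() {
  ref="$1"
  remote="${2:-patches}"   # "patches" is an assumed remote name
  git fetch --quiet "$remote" "$ref" || return 2
  # FETCH_HEAD is exactly what was just fetched; no local branch is needed.
  if ! git merge --quiet --no-commit --no-ff FETCH_HEAD; then
    # Do not leave conflict markers behind for the next hook to trip over.
    git merge --abort
    return 1
  fi
  return 0
}

# deps_plan
#   Print one install command per line for each package manager whose lockfile is
#   present. The lockfile-respecting forms are deliberate: a patch that edits a
#   lockfile is installed exactly as locked, and a lockfile that no longer matches
#   its manifest fails loudly instead of being silently re-resolved.
deps_plan() {
  [ -f Gemfile.lock ]      && echo "BUNDLE_FROZEN=true bundle install"
  [ -f pnpm-lock.yaml ]    && echo "pnpm install --frozen-lockfile"
  [ -f package-lock.json ] && echo "npm ci"   # assumed addition, not in the post
  return 0
}

# deps_install: run whatever deps_plan produced, stopping at the first failure.
deps_install() {
  deps_plan | while IFS= read -r cmd; do
    sh -c "$cmd" || exit 1
  done
}

# after_code REF [REMOTE]: the hook body itself.
after_code() {
  merge_patch "$@" || return $?
  deps_install
}
```

Because a conflicting merge is aborted rather than left half-applied, the hook fails with a clear non-zero status and an untouched working tree, which is what the calling tool should see; resolving the conflict belongs in the patch branch, not in the hook.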